Bugtraq mailing list archives

Re: Comments on 5 IE vulnerabilities


From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Tue, 2 Dec 2003 21:58:45 +0100 (MET)

On Mon, 1 Dec 2003, Thor Larholm wrote:

> How, you might ask? Simple, I have locked down the My Computer security
> zone on my installations [1].

Considering the complexity of such a change (isn't it funny you say
"Simple" here and go on to explain how tricky the change is?), and the
fact it clearly goes right against MS's own intentions, it might be
easier, simpler and more reliable to send MSIE to where it belongs (to
the digital hell, IMHO...yes, I am biased) and use another browser.

> As a final comment, I do believe that vulnerability researchers should
> notify vendors of potential vulnerabilities and give them some time to
> fix these before exposing the public to the dangers of those
> vulnerabilities. Posting demonstratory proof-of-concept code has served
> to apply pressure in the past towards unresponsive vendors, but not
> giving the vendors any chance to respond at all in the first place is
> simply irresponsible and jeopardizes the security of the Internet as a
> whole.

What about vendors who fix implementation errors but refuse to fix fatal
design errors?

In the MSIE's case, the fatal design error is a poor separation of zones
(anyone who knows a little bit about mandatory access control and
information labelling should be able to prevent any future vulnerabilities
of this kind rather easily) or, from a more extremist point of view, the
mere existence of the "My Computer Zone"--why the hell should a piece of
code running on the top of a *web* browser ever be allowed to mess with my
computer?


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

